Are you Prepared for the EU General Data Protection Regulation?
With the implementation of GDPR on our doorstep, companies risk serious vulnerability in the face of data protection. This week Finance Monthly has heard from Rafi Azim-Khan and Steven Farmer of Pillsbury Law, who gave us a rundown on how you need to prepare for the regulatory changes.
From the debate about the UK’s ‘Snooper’s Charter’, to a number of high-profile cyber-attacks and the wrangling, both legal and political, over the abolition of the EU-US data sharing treaty, Safe Harbour, data privacy has remained firmly in the media spotlight in recent months.
Following the most significant overhaul of the EU data protection regulations in recent years set to come into effect with the introduction of the EU General Data Protection Regulation (GDPR) in May 2018, this trend looks set to continue.
The GDPR rips up the existing legal framework and provides for the imposition of heavy fines. Equally seismic is the fact that the new rules have an extra-territorial reach, catching companies who traditionally did not need to prioritise data protection laws.
Significantly, however, few businesses are reported to have actually looked at what they need to do to ensure compliance under the GDPR. As the time until enforcement dwindles, it is essential that firms act, as the UK data protection regulator has said herself. So what do companies actually need to be aware of?
The letter of the law
The GDPR replaces the current EU Data Protection Directive 95/46/EC. As a Regulation, and unlike the old law, the new laws will be directly applicable in all EU member states.
Specific changes introduced include the following:
- Accountability – crucially, those caught will be required to show compliance e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work.
- Data protection officers (DPOs) – in many circumstances, those caught by the GDPR will also need to appoint DPOs and so thought will need to be given as to whether this applies and, if so, who that person or persons might be.
- Consent – new rules are also introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may no longer therefore be valid and consents obtained should be purged going forward.
- Enhanced rights for individuals – new rights are introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, amongst others.
- Privacy policies – fair processing notices now need to be more detailed, e.g., new information needs to be given about these new enhanced rights for individuals. Policies will need updating therefore.
- International transfers – Binding Corporate Rules for controllers and processors as a means of legitimising transfers are expressly recognized for the first time and so should be considered as a transfer mechanism.
- Breach notification – new rules requiring breach reporting within 72 hours (subject to conditions) are introduced and so processes in place (or not) will need to be revisited to accommodate these rules.
Of course, with the UK set to leave the European Union, there is much ongoing discussion about what the post-Brexit regulatory regime may look like. It is generally accepted, however, that after the UK leaves the EU, UK laws will nevertheless track the GDPR (e.g. via some form of implementing legislation or a new UK law which effectively mirrors the GDPR). In other words, even if you are purely a UK company, or you are outside the UK and targeting UK consumers only, you should not ignore these changes on the basis Brexit is some sort of get out of jail free card.
Who needs to comply?
All organisations operating in the EU will be caught by the new rules. Importantly, organisations outside the EU, like US-based companies that target consumers in the EU, monitor EU citizens or offer goods or services to EU consumers (even if for free), will also have to comply.
The GDPR also applies to “controllers” and “processors”. What this means, in summary, is that those currently subject to EU data protection laws will almost certainly be subject to the GDPR and processors (traditionally not subject) will also have significantly more legal liability under the GDPR than was the case under the prior Directive.
What can businesses do to prepare?
To ensure compliance, companies need to ensure that they have robust policies, procedures and processes in place. With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum:
- Review privacy notices and policies – ensure these are GDPR compliant. Do they provide for the new rights individuals have?
- Prepare/update the data security breach plan – to ensure new rules can be met if needed.
- Audit your consents – are you lawfully processing data? Will you be permitted to continue processing data under the GDPR?
- Set up an accountability framework – e.g., monitor processes, procedures, train staff.
- Appoint a DPO where required.
- Consider if you have new obligations as a processor – is your contractual documentation adequate? Review contracts and consider what changes will be required.
- Audit your international transfers – do you have a lawful basis to transfer data?
As May 2018 draws inexorably closer, companies need to start thinking about compliance before it is too late to avoid being made an example of. As the old adage goes: those who fail to prepare, prepare to fail.